NGINX Configuration for Multiple Certificates

NGINX typically supports two scenarios for configuring multiple certificates:

  - Providing multiple certificate types (e.g., RSA and ECC) for the same domain.
  - Hosting multiple domains on the same IP address, using different certificates selected based on the SNI sent by the client.

Generating Certificates

Use the ssl_cert_chain_tool.sh script to generate a set of valid certificates:

    # RSA Certificates
    ssl_cert_chain_tool.sh -a RSA -o a_cert -n a.example.com -u
    ssl_cert_chain_tool.sh -a RSA -o b_cert -n b.example.com -u
    ssl_cert_chain_tool.sh -a RSA -o c_cert -n c.example.com -u

    # ECC Certificates
    ssl_cert_chain_tool.sh -a ECC -o d_cert -n d.example.com -u
    ssl_cert_chain_tool.sh -a ECC -o e_cert -n e.example.com -u

Support for Multiple Certificate Types

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;

        server {
            listen 0.0.0.0:443 ssl;
            ssl_protocols TLSv1.3 TLSv1.2;
            server_name a.example.com b.example.com c.example.com d.example.com e.example.com;
            ssl_prefer_server_ciphers on;

            # RSA and ECC Certificates
            ssl_certificate     a_cert/server.cert.pem;
            ssl_certificate_key a_cert/server.key.pem;
            ssl_certificate     e_cert/server.cert.pem;
            ssl_certificate_key e_cert/server.key.pem;
            ssl_certificate     d_cert/server.cert.pem;
            ssl_certificate_key d_cert/server.key.pem;
            ssl_certificate     c_cert/server.cert.pem;
            ssl_certificate_key c_cert/server.key.pem;
            ssl_certificate     b_cert/server.cert.pem;
            ssl_certificate_key b_cert/server.key.pem;

            location / {
                return 200 'Multi-certificates test\n';
            }
        }
    }

During the handshake, the server selects the appropriate certificate based on the signature algorithm. OpenSSL handles this in tls_post_process_client_hello -> tls_choose_sigalg, which processes the received client hello message and selects the most suitable certificate from the signature algorithms offered by the client and the server's configuration. ...

2025-01-06 · 3 min · 501 words

nginx Multi-Certificates

There are generally two scenarios for configuring multiple certificates in NGINX:

  - Providing multiple certificate types, such as RSA and ECC certificates, for the same domain.
  - Deploying multiple domains on the same IP address with several different certificates, selecting the certificate according to the SNI sent by the client.

Generating Certificates

Use ssl_cert_chain_tool.sh to generate a set of formal certificates:

    # RSA certificates
    ssl_cert_chain_tool.sh -a RSA -o a_cert -n a.example.com -u
    ssl_cert_chain_tool.sh -a RSA -o b_cert -n b.example.com -u
    ssl_cert_chain_tool.sh -a RSA -o c_cert -n c.example.com -u

    # ECC certificates
    ssl_cert_chain_tool.sh -a ECC -o d_cert -n d.example.com -u
    ssl_cert_chain_tool.sh -a ECC -o e_cert -n e.example.com -u

Supporting Multiple Certificate Types

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;

        server {
            listen 0.0.0.0:443 ssl;
            ssl_protocols TLSv1.3 TLSv1.2;
            server_name a.example.com b.example.com c.example.com d.example.com e.example.com;
            ssl_prefer_server_ciphers on;

            # RSA and ECC Certificates
            ssl_certificate     a_cert/server.cert.pem;
            ssl_certificate_key a_cert/server.key.pem;
            ssl_certificate     e_cert/server.cert.pem;
            ssl_certificate_key e_cert/server.key.pem;
            ssl_certificate     d_cert/server.cert.pem;
            ssl_certificate_key d_cert/server.key.pem;
            ssl_certificate     c_cert/server.cert.pem;
            ssl_certificate_key c_cert/server.key.pem;
            ssl_certificate     b_cert/server.cert.pem;
            ssl_certificate_key b_cert/server.key.pem;

            location / {
                return 200 'Multi-certificates test\n';
            }
        }
    }

During the handshake between client and server, the appropriate certificate is chosen according to the signature algorithm. In OpenSSL, tls_post_process_client_hello -> tls_choose_sigalg processes the received client hello message and selects a suitable certificate based on the signature algorithms sent by the client and the server-side configuration. ...

2025-01-06 · 6 min · 1226 words